Is Your Data Security Program Lost in the Weeds?

Assouline & Berlowe

“I.R.S. Adds New Safeguards to Thwart Identity Theft and Fraud”

 “Federal Data Compromised at OPM and Interior; Could Affect 4 Million People”

 “North Shore (University Hospital) Warns About 18,000 Patients of Potential Data Breach”

 “Massive Data Breach Affects Hundreds of Miami-Dade County”

As you check your incoming morning email; malware surreptitiously checks your every keystroke and monitors your cyber movements. At your doctor’s office you provided enumerable consent and other extremely personal and confidential information forms; then, within earshot of waiting patients, the receptionist announces your social security number to a colleague. You buy a new condo, providing the Condo Association Board an approval application with your family’s personal and financial history; now your neighbors “know your business!”

The headlines are real; the scenarios occur every day. Scenarios endemic to the hyperbolic expansion of technological innovation, the public’s enchantment and dependence on B2C and social media, and the progressively steep upward trend in information creation and cyber monitoring. Information (“Data”) creates Knowledge; and Knowledge is Power! In the era of “Big Data,” confidential personal and proprietary business Data, mishandled or acquired without authorization by third parties, may have disastrous consequences to the Data Owner.

“In the day,” businesses focused Document (Record) Retention Policies and Programs. Internally-focused initiatives to identify proprietary or sensitive documented information required for possible future use (e.g., government regulations, tax audits); that may be needed to respond to customer, client, or other third-party complaints or litigation (e.g., contracts and collateral documents); and for general historical or other purposes (e.g., corporate or business records). Today, with Information Technology’s potentially illegitimate intrusion in personal privacy, these initiatives must also include externally-focused component to protect those privacy interests.

A company (or other Data Custodian with legitimately acquired Data Owner information) should establish a Data Breach Security Plan with policies and practices for the handling of sensitive Data Owner information. The Plan identifies and “ring-fences” sensitive Data Owner information; sets parameters for limited or “need-to-know access;” identifies potential live and IT systems Data Breach threats; and establishes a Data Breach Response Procedure to adequately notify a Data Owner where his or her information has been compromised.

Florida, along with a number of states, however, have recently begun to actively legislate and establish statutory schemes. Florida’s Information Protection Act of 2014 (“Security of Confidential Information) requires businesses, and government, to take “reasonable measures to protect and secure personal information.” If a Florida business collects personal information, it is now required to establish and maintain a Data Security Program. Once the business, or government entity, acquires personally identifiable information, it is obliged to safeguard the information; and, where appropriate, have a prescribed plan for the information’s destruction or return.  Specified Data includes:

  • social security number;
  • driver’s license or identification card number, passport number, military identification number, or other similar personal identifier issued on a government document used to verify identity;
  • financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;
  • financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary  to permit access to an individual’s financial account;
  • information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
  • health insurance policy number or subscriber identification number as well as any unique identifier used by a health insurer to identify that person.

Under the Statute, a Florida business or other “covered entity” ” must notify the Attorney General, in writing, no later than 30 days after a Data Breach or possible Data Breach. That is “any breach of security affecting 500 or more individuals in this state.” The notice must include:

When a Data Breach occurs; that is where there is “unauthorized access of data in electronic form containing personal information.” More broadly, when specific third-party “sensitive, protected, or confidential information has potentially, been viewed, stolen, or used by an individual not so authorized.” For example, where a physician’s laptop is lost or stolen; or where a company IT system has been “hacked.” Parenthetically, insurance companies are now offering Data Breach Insurance.

  1. A synopsis of the events surrounding the breach
  2. The number of individuals in this state who were or potentially have been affected by the breach
  3. Any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such services
  4. A copy of the notice to the individuals affected by the breach or an explanation of the other actions taken to notify the individuals affected by the breach
  5. The name, address, telephone number, and e-mail address of the employee or agent of the covered entity from whom additional information may be obtained about the breach

The Attorney General may also request additional information including: (a) a police report, incident report, or computer forensics report; (b) a copy of the policies in place regarding breaches; and (c) steps that have been taken to rectify the breach.

Although the Statute does not allow a private right of legal action, a Data breach is considered “deceptive trade practice.” Within the jurisdiction of the Department of Legal Affairs, violations are subject to injunctive relief and the following civil penalties: for failure to notify Data Owners:

  1. In the amount of $1,000 for each day up to the first 30 days following any violation and, thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days; and
  2. If the violation continues for more than 180 days, in an amount not to exceed $500,000.

The civil penalty assessed is for each breach, not for each individual affected by the breach.

Data Security and Data Privacy should be a major concern to individuals and business alike. The law in this area is evolving. It has become an important focus of business law practice.

For more information on Data Security Programs matters, please contact:

Carl H. Perdue, JD, LLM
Senior Counsel and Partner
Business and Finance

The above material is for information purposes only; and is not to be considered legal or financial advice.


1801 N. Military Trail, Suite 160

Boca Raton, Florida 33431

Main:  (561) 361-6566

Fax: (561) 361-6466


Leave a comment

Filed under Business Litigation, commercial litigation, Florida Bar, Intellectual Property, Labor & Employment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s